
Re: Transfer-codings, mandatory content-coding support and intermediaries

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 21 Apr 2014 09:35:18 -0700
Message-ID: <CABkgnnXSAo5mSP9UBnGzAio2_PJ0JGxppwx8yRbDonX84JRMpw@mail.gmail.com>
To: Albert Lunde <atlunde@panix.com>
Cc: Matthew Kerwin <matthew@kerwin.net.au>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 21 April 2014 06:54, Albert Lunde <atlunde@panix.com> wrote:
> I doubt that most web browser clients have a security model
> that can reliably identify "potentially-attacker-supplied data"; too much of
> the content, including JavaScript _is_ potentially-attacker-supplied, and
> there are too many back doors from one context to another.

That's not true.  Web browser clients have very robust attribution
models.  We don't necessarily want to use those, because it's a fair
complexity burden.

The real problem here is less with clients than with servers.  The BEAST
demonstrations exploited servers that dynamically compressed content
without regard to the source of the compressed content.
Received on Monday, 21 April 2014 16:35:49 UTC
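The server-side risk the message describes, as an added example that is not part of the original thread: a page that DEFLATE-compresses a per-session token in the same body as reflected request text leaks, through its compressed size alone, whether the reflected text matches the token, and per-response masking of the token is one mitigation that removes the matchable bytes. The page layout, token value and function names are all constructed for this illustration.

```python
import os
import zlib

# Constructed sample: a per-session token the server embeds in every page.
SECRET_TOKEN = "7f3a9c2e1b4d"


def render(token: str, reflected: str) -> bytes:
    """Page body that mixes a secret with request-supplied (reflected) text."""
    return (f'<input type="hidden" name="csrf" value="{token}">'
            f'<p>You searched for: {reflected}</p>').encode()


def compressed_size(body: bytes) -> int:
    """Size of the DEFLATE-compressed body: what an observer on the wire sees."""
    return len(zlib.compress(body, 6))


def leak_in_bytes(token: str, reflected_a: str, reflected_b: str) -> int:
    """How many bytes smaller the compressed page is with reflected_a than with
    reflected_b. When reflected_a repeats part of the token, DEFLATE replaces it
    with a back-reference and the page shrinks; that size difference is the leak."""
    return (compressed_size(render(token, reflected_b))
            - compressed_size(render(token, reflected_a)))


def mask_token(token: str) -> str:
    """Mitigation (assumed here): XOR the token with a fresh random mask on every
    response and send mask || masked as hex. The client recovers the token, but the
    bytes on the wire never repeat, so reflected text cannot match them."""
    raw = token.encode()
    mask = os.urandom(len(raw))
    masked = bytes(m ^ t for m, t in zip(mask, raw))
    return (mask + masked).hex()


def unmask_token(blob: str) -> str:
    """Inverse of mask_token: split the blob in half and XOR the halves."""
    data = bytes.fromhex(blob)
    half = len(data) // 2
    return bytes(m ^ c for m, c in zip(data[:half], data[half:])).decode()


if __name__ == "__main__":
    # Unmasked page: a partial match of the token makes the page smaller.
    print("leak (bytes):", leak_in_bytes(SECRET_TOKEN, "7f3a9c2e", "q1w2e3r4"))
    # Masked page: the token's bytes are no longer present to be matched.
    page = render(mask_token(SECRET_TOKEN), "7f3a9c2e")
    print("token bytes in masked page:", SECRET_TOKEN.encode() in page)
```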
